Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help fixing computer - running slowly suspect malaware


  • Please log in to reply

#1
jn cruz

jn cruz

    New Member

  • Member
  • Pip
  • 8 posts
Hi everybody,

I'm couting on you to help me fix my computer. A few days ago my computer started to run very laisy (it's realy slow - rebooting may take about 10 minutes!!!).

Also i'm getting pop up IE Windows every 5 minutes form diferent sources :help:

I've run adware and Ewido and somethings were found and cleaned! I guess :whistling:

I've found a process running in task manager that "consumes" a lot of the CPU, called AVP32.exe

None of my protection software did mamaged to remove it (adware, ewido, kaspersky) and pop up windows still appear.

Please help, i'm getting desperate :blink:

Thaks to all of you amasing guys

Here is my HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:40:40, on 03-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Program Files\Dinamic DNS Client\ddnsclnt.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~2\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~2\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.8b\Disk_Monitor.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
c:\progra~2\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~2\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearchIndexer.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\calc.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearchFilter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearchFilter.exe
C:\Documents and Settings\Nuno\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FA4A6D4-691E-40EC-63D4-11830BCFF5BE} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Barra do MSN Busca Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\pt-br\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~2\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Barra do MSN Busca - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\pt-br\msntb.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.8b\Disk_Monitor.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Cdromfourdentfile] C:\Documents and Settings\All Users.WINDOWS\Application Data\locks name cdrom four\List Mix.exe
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Fast Sign] C:\DOCUME~1\Nuno\APPLIC~1\EXTRAH~1\view 4.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Utilitário de configurações da Lexmark X125.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: &MSN Busca - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\pt-br\msntb.dll/search.htm
O8 - Extra context menu item: Abrir em uma nova guia do plano de fundo - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\pt-br\msntabres.dll/229?fd0b4495ff584c62828ba99d5a4f51
O8 - Extra context menu item: Abrir em uma nova guia do primeiro plano - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\pt-br\msntabres.dll/230?fd0b4495ff584c62828ba99d5a4f51
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~2\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~2\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito Móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~2\MI3AA1~1\INetRepl.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.cm-tavira...bs/mgaxctrl.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.crtvg.es/camweb/camera.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.co...GameManager.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~2\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MCPClient - C:\PROGRA~2\COMMON~1\Stardock\mcpstub.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service (file missing)
O23 - Service: Dinamic DNS Client (DinamicDNSClient) - INOVAnet, Lda. - C:\Program Files\Dinamic DNS Client\ddnsclnt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing)
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~2\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by jn cruz, 03 October 2006 - 04:57 PM.

  • 0

Advertisements


#2
jn cruz

jn cruz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hello,

Sorry for reposting this question, but somethings have changed since yesterday.

After running again ewido and correcting some of the things he found, i'm keeping the same issues plus another one! :whistling:

Now everytime I try to run an aplication the computers stars "Windows Installer" !!!!!

Please give me a hand on this! :blink:

Best to you all!

João Nuno Cruz
  • 0

#3
sari

sari

    GeekU Admin

  • Administrator
  • 21,803 posts
  • MVP
jn cruz,

Hi, and welcome to Geeks to Go. I'm sorry you've had to wait for a reply - we get very busy here.

Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it
  • Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log along with a fresh HijackThis log
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program. --

Please make sure you post the NoLop log and a new hijackthis log.

Thanks,

sari
  • 0

#4
jn cruz

jn cruz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hello and Thank you Sari,

Since mais last post i've uninstaled Kaspersky (now i'm running with no Antivirus) and the computer runs faster, I guess almost normal, but this not a solution :blink:

I've done like you said. NoLop found and cleaned something, but after reboting as I was opening IE, a Pop Up apeared (casino something...)!! :whistling:

Here is the log NoLop created...

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Nuno\Desktop
[06-10-2006]
[21:44:24]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\BF0ECD519CA54B65.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Administrador\Application Data\Microsoft
C:\Documents and Settings\Administrador.desktop\Application Data\Ati
C:\Documents and Settings\Administrador.desktop\Application Data\Identities
C:\Documents and Settings\Administrador.desktop\Application Data\Locktime
C:\Documents and Settings\Administrador.desktop\Application Data\Macromedia
C:\Documents and Settings\Administrador.desktop\Application Data\Microsoft
C:\Documents and Settings\Administrador.desktop\Application Data\Msn Search Toolbar
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users.windows\Application Data\Acd Systems
C:\Documents and Settings\All Users.windows\Application Data\Adobe
C:\Documents and Settings\All Users.windows\Application Data\Ahead
C:\Documents and Settings\All Users.windows\Application Data\Autodesk
C:\Documents and Settings\All Users.windows\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\All Users.windows\Application Data\Bvrp Software
C:\Documents and Settings\All Users.windows\Application Data\Dvd Shrink
C:\Documents and Settings\All Users.windows\Application Data\Intervideo
C:\Documents and Settings\All Users.windows\Application Data\Locks Name Cdrom Four
C:\Documents and Settings\All Users.windows\Application Data\Macrovision
C:\Documents and Settings\All Users.windows\Application Data\Microsoft
C:\Documents and Settings\All Users.windows\Application Data\Msn Search Toolbar
C:\Documents and Settings\All Users.windows\Application Data\Msn6
C:\Documents and Settings\All Users.windows\Application Data\Nfs Underground
C:\Documents and Settings\All Users.windows\Application Data\Olympus
C:\Documents and Settings\All Users.windows\Application Data\Quicktime
C:\Documents and Settings\All Users.windows\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users.windows\Application Data\Symantec
C:\Documents and Settings\All Users.windows\Application Data\Trymedia
C:\Documents and Settings\All Users.windows\Application Data\Viewpoint
C:\Documents and Settings\All Users.windows\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User.windows\Application Data\Microsoft
C:\Documents and Settings\Inovasis\Application Data\Ati
C:\Documents and Settings\Inovasis\Application Data\Identities
C:\Documents and Settings\Inovasis\Application Data\Locktime
C:\Documents and Settings\Inovasis\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice.nt Authority\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice.nt Authority\Application Data\Microsoft
C:\Documents and Settings\Localservice.nt Authority.000\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice.nt Authority\Application Data\Microsoft
C:\Documents and Settings\Networkservice.nt Authority.000\Application Data\Microsoft
C:\Documents and Settings\Nuno\Application Data\Adobe
C:\Documents and Settings\Nuno\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Nuno\Application Data\Ahead
C:\Documents and Settings\Nuno\Application Data\Ati
C:\Documents and Settings\Nuno\Application Data\Autodesk
C:\Documents and Settings\Nuno\Application Data\Azureus
C:\Documents and Settings\Nuno\Application Data\Corel
C:\Documents and Settings\Nuno\Application Data\Dvdcss
C:\Documents and Settings\Nuno\Application Data\Extrahold
C:\Documents and Settings\Nuno\Application Data\Flashfxp
C:\Documents and Settings\Nuno\Application Data\Gearbox Software -- EMPTY Directory
C:\Documents and Settings\Nuno\Application Data\Google
C:\Documents and Settings\Nuno\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Nuno\Application Data\Identities
C:\Documents and Settings\Nuno\Application Data\Intervideo
C:\Documents and Settings\Nuno\Application Data\Jasc Software Inc
C:\Documents and Settings\Nuno\Application Data\Kazaa Lite
C:\Documents and Settings\Nuno\Application Data\Lavasoft
C:\Documents and Settings\Nuno\Application Data\Leadertech
C:\Documents and Settings\Nuno\Application Data\Locktime
C:\Documents and Settings\Nuno\Application Data\Macromedia
C:\Documents and Settings\Nuno\Application Data\Microsoft
C:\Documents and Settings\Nuno\Application Data\Msn Search Toolbar
C:\Documents and Settings\Nuno\Application Data\Msn6
C:\Documents and Settings\Nuno\Application Data\Netpumper
C:\Documents and Settings\Nuno\Application Data\Shareaza
C:\Documents and Settings\Nuno\Application Data\Sun
C:\Documents and Settings\Nuno\Application Data\Symantec
C:\Documents and Settings\Nuno\Application Data\The Labyrinth Plus! Edition
C:\Documents and Settings\Nuno\Application Data\Thq -- EMPTY Directory
C:\Documents and Settings\Nuno\Application Data\Wanr -- EMPTY Directory
C:\Documents and Settings\User\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\User\Application Data\Identities
C:\Documents and Settings\User\Application Data\Microsoft


And here the fresh HiJackThis Log...

Logfile of HijackThis v1.99.1
Scan saved at 22:07:37, on 06-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~2\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Dinamic DNS Client\ddnsclnt.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~2\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.8b\Disk_Monitor.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~2\MI3AA1~1\rapimgr.exe
c:\progra~2\intern~1\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearchIndexer.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearchFilter.exe
C:\Documents and Settings\Nuno\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FA4A6D4-691E-40EC-63D4-11830BCFF5BE} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Barra do MSN Busca Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\pt-br\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~2\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Barra do MSN Busca - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\pt-br\msntb.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.8b\Disk_Monitor.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Cdromfourdentfile] C:\Documents and Settings\All Users.WINDOWS\Application Data\locks name cdrom four\List Mix.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Fast Sign] C:\DOCUME~1\Nuno\APPLIC~1\EXTRAH~1\view 4.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Utilitário de configurações da Lexmark X125.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: &MSN Busca - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\pt-br\msntb.dll/search.htm
O8 - Extra context menu item: Abrir em uma nova guia do plano de fundo - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\pt-br\msntabres.dll/229?fd0b4495ff584c62828ba99d5a4f51
O8 - Extra context menu item: Abrir em uma nova guia do primeiro plano - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\pt-br\msntabres.dll/230?fd0b4495ff584c62828ba99d5a4f51
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~2\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~2\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito Móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~2\MI3AA1~1\INetRepl.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.cm-tavira...bs/mgaxctrl.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.crtvg.es/camweb/camera.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.co...GameManager.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~2\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MCPClient - C:\PROGRA~2\COMMON~1\Stardock\mcpstub.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Dinamic DNS Client (DinamicDNSClient) - INOVAnet, Lda. - C:\Program Files\Dinamic DNS Client\ddnsclnt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~2\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

What should I do now?

Thanks a lot

João Nuno Cruz
  • 0

#5
sari

sari

    GeekU Admin

  • Administrator
  • 21,803 posts
  • MVP
jncruz,

Ok, it looks like you might have a new variant of lop, so I need you to upload some files for me.

Please go here to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\Documents and Settings\All Users.WINDOWS\Application Data\locks name cdrom four\List Mix.exe
  • Click on the next filename entry box
  • Browse for this filename: C:\Documents and Settings\Nuno\Application Data\Extrahold\view 4.exe
  • In the comments, please state "new lop files"
  • Click on Send File
Thanks,

sari
  • 0

#6
jn cruz

jn cruz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hello,

I've uploaded the files you asked for. Yesterday, for any reason I don't know, couldn't post in the forum.

Thanks

João Nuno Cruz
  • 0

#7
sari

sari

    GeekU Admin

  • Administrator
  • 21,803 posts
  • MVP
Hi,

I got your pm - I'm not sure why you couldn't post. Yes, please upload those other to files for me :whistling:.

sari
  • 0

#8
jn cruz

jn cruz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hello,

Once again didn't manage to post while using home computer!

So, i'm at work know hopping for you precious help. I've uploaded the other two files.

Thanks

João Nuno Cruz
  • 0

#9
sari

sari

    GeekU Admin

  • Administrator
  • 21,803 posts
  • MVP
jncruz,

I'm waiting for the developer of the nolop program to get back to me about those files. As soon as I hear anything, I'll post an updated fix here.

sari
  • 0

#10
sari

sari

    GeekU Admin

  • Administrator
  • 21,803 posts
  • MVP
jncruz,

I don't want to keep you waiting, so we're going to take care of this the old-fashioned way.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • If it wants to install an ActiveX component allow it
  • Select either Home User or Company
  • Click the big Scan Now button
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Please post the Activescan report and a new hijackthis log for me.

Thanks,

sari
  • 0

#11
jn cruz

jn cruz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
HEllo again Sari,


Here are the logs you asked for:

Activescan log:

Incident Status Location

Adware:adware/razespyware Not disinfected c:\windows\system32\page.htm
Virus:trj/torpig.a Disinfected Operating system
Virus:trj/dowcen.a Disinfected Operating system
Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Nuno\Application Data\Registry Cleaner
Adware:adware/portalscan Not disinfected Windows Registry
Dialer:dialer.bqw Not disinfected hkey_current_user\software\microsoft\internet explorer\main\conc
Adware:adware/dollarrevenue Not disinfected Windows Registry
Virus:trj/downloader.coy Disinfected Operating system
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D62A517-E7C6-4E1F-A577-07D4AC549A48}
Adware:adware/azesearch Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Dialer:dialer.dk Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{91433D86-9F27-402C-B5E3-DEBDD122C339}
Adware:Adware/ISearch Not disinfected C:\dhjtmkb.exe
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-47723671-70845f9c.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-47723671-70845f9c.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-47723671-70845f9c.zip[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-47723671-70845f9c.zip[NewURLClassLoader.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-7e09d0a6-3148e4f9.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-7e09d0a6-3148e4f9.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-7e09d0a6-3148e4f9.zip[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-7e09d0a6-3148e4f9.zip[NewURLClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-12cdc751-5e4a1e55.zip[Matrix.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-12cdc751-5e4a1e55.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-12cdc751-5e4a1e55.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-12cdc751-5e4a1e55.zip[Parser.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-5c362d1c-782e21e8.zip[Matrix.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-5c362d1c-782e21e8.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-5c362d1c-782e21e8.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-5c362d1c-782e21e8.zip[Parser.class]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Nuno\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Nuno\Cookies\[email protected][1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Nuno\Cookies\[email protected][1].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Nuno\Cookies\[email protected][2].txt
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Nuno\Desktop\PC Tools Registry Mechanic 5[1].2.0.310.rar[crack.exe]

Logfile of HijackThis v1.99.1
Scan saved at 12:18:12, on 15-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~2\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Dinamic DNS Client\ddnsclnt.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~2\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.8b\Disk_Monitor.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~2\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearchIndexer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearchFilter.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Documents and Settings\Nuno\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FA4A6D4-691E-40EC-63D4-11830BCFF5BE} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat

6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Barra do MSN Busca Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar

Suite\TB\02.05.0000.1082\pt-br\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} -

C:\PROGRA~2\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat

6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Barra do MSN Busca - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar

Suite\TB\02.05.0000.1082\pt-br\msntb.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.8b\Disk_Monitor.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [NetLimiter] "C:\Program Files\NetLimiter\nluninst.exe" /afterreboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Utilitário de configurações da Lexmark X125.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar

Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: &MSN Busca - res://C:\Program Files\MSN Toolbar

Suite\TB\02.05.0000.1082\pt-br\msntb.dll/search.htm
O8 - Extra context menu item: Abrir em uma nova guia do plano de fundo - res://C:\Program Files\MSN Toolbar

Suite\TAB\02.05.0000.1110\pt-br\msntabres.dll/229?fd0b4495ff584c62828ba99d5a4f51
O8 - Extra context menu item: Abrir em uma nova guia do primeiro plano - res://C:\Program Files\MSN Toolbar

Suite\TAB\02.05.0000.1110\pt-br\msntabres.dll/230?fd0b4495ff584c62828ba99d5a4f51
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program

Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program

Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\system32\page.htm
O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\system32\link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program

Files\googlenav.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} -

C:\PROGRA~2\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~2\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito Móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -

C:\PROGRA~2\MI3AA1~1\INetRepl.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

http://go.microsoft....k/?linkid=39204
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) -

http://www.cm-tavira...bs/mgaxctrl.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) -

http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -

http://messenger.msn...pDownloader.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.crtvg.es/camweb/camera.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) -

https://disney.go.co...GameManager.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~2\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MCPClient - C:\PROGRA~2\COMMON~1\Stardock\mcpstub.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems

Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Dinamic DNS Client (DinamicDNSClient) - INOVAnet, Lda. - C:\Program Files\Dinamic DNS

Client\ddnsclnt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - c:\Program Files\Microsoft SQL

Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton

SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~2\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - c:\Program Files\Microsoft SQL

Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\Security Center\SymWSC.exe

Thanks once again.
João Nuno Cruz

Edited by jn cruz, 15 October 2006 - 05:50 AM.

  • 0

#12
sari

sari

    GeekU Admin

  • Administrator
  • 21,803 posts
  • MVP
jncruz,

Well, all your LOP folders seem to have gone away, which is a good thing, and we're just left with some clean up now.

First, we want to clear your java cache, since it's full of things you don't want.

Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 CheckedDownloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {4FA4A6D4-691E-40EC-63D4-11830BCFF5BE} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please delete these files using Windows Explorer(if present):

c:\windows\system32\page.htm
C:\dhjtmkb.exe
C:\Documents and Settings\Nuno\Desktop\PC Tools Registry Mechanic 5[1].2.0.310.rar[crack.exe]

After that, Reboot.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please post another hijackthis log and let me know how things are running.

sari
  • 0

#13
jn cruz

jn cruz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hello Sari,

I've not apologise before about my english but my native language is Portuguese, but i think we've understood each other very well.

I think things are running way better now, as they were on the last few days. Although, it seems that system is a little instable. The first time i've rebooted on you instructions i had to reset the computer because it was saying "Shuting Down" for about 5 minutes without any HDD activity!!!

The pop ups seamed to having disapeared and the computer runs faster!! :whistling:

I think i've a lot of "junk" from older apps instalations that are not installed anymore but are still here. Maybe the best was to format hdd but i've no courage because i use a corporate app under sql server that i'll not be able to reinstall myself.

At this moment i'm running without any Anti-virus / Anti-Malaware software (only Windows Defender) so if you can indicate the best option it would be great :blink:

Here is the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:17:45, on 19-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dinamic DNS Client\ddnsclnt.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~2\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~2\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.8b\Disk_Monitor.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\PROGRA~2\MI3AA1~1\rapimgr.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearchIndexer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearchFilter.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearchFilter.exe
C:\Documents and Settings\Nuno\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Barra do MSN Busca Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\pt-br\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~2\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Barra do MSN Busca - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\pt-br\msntb.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.8b\Disk_Monitor.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Utilitário de configurações da Lexmark X125.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\pt-br\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: &MSN Busca - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\pt-br\msntb.dll/search.htm
O8 - Extra context menu item: Abrir em uma nova guia do plano de fundo - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\pt-br\msntabres.dll/229?fd0b4495ff584c62828ba99d5a4f51
O8 - Extra context menu item: Abrir em uma nova guia do primeiro plano - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\pt-br\msntabres.dll/230?fd0b4495ff584c62828ba99d5a4f51
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\system32\page.htm
O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\system32\link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~2\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~2\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito Móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~2\MI3AA1~1\INetRepl.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.cm-tavira...bs/mgaxctrl.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.googl...g/GoogleNav.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.crtvg.es/camweb/camera.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.co...GameManager.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~2\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MCPClient - C:\PROGRA~2\COMMON~1\Stardock\mcpstub.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Dinamic DNS Client (DinamicDNSClient) - INOVAnet, Lda. - C:\Program Files\Dinamic DNS Client\ddnsclnt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~2\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Thanks again

João Nuno Cruz
  • 0

#14
sari

sari

    GeekU Admin

  • Administrator
  • 21,803 posts
  • MVP
jncruz,

Your English was fine! Much better than my Portugese (since I don't speak that at all :whistling: ).

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
  • Firewall<= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and Spyware Aid's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.

Thanks for visiting Geeks to Go!

sari
  • 0

#15
jn cruz

jn cruz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hello Sari,

I'm sorry for replying just today, but i've experiencing some problems with my computer.

All Pop Up's have disapeared, but my Internet Connection (Cable) it's weird! After about 10-15 minutes the connection is lost and i'm not able to refresh IP Adress without restarting the computer.

I've installed the aplications i've recomended but I think that this is too much to my old computer (Athlon XP +3200) and is is a little slow! At least I know i'me well protected!

Thank You for you GREAT HELP! :whistling:

João Nuno Cruz
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP